Essentially, a DDoS attack is most often a coordinated assault from thousands of compromised "zombie" computers against a specific target, perhaps your website. These attacks are hard to defend against: not only can they take down your services and ruin your customers' experience, they can also produce huge bandwidth overages and the bills that follow.

In the next episode, the third in this series, we'll move on to Incapsula CDN & Optimizer and other features such as compression and image optimization; most of this is available for free.

Incapsula is such an intriguing and sophisticated service that I hope to convince the editorial gods at Tuts+ to let me write more about it. If you have any requests for future episodes in this series or questions and comments on today's, please post them below. You can also reach me on Twitter @reifman or email me directly.

A Brief Recap of Incapsula

As I mentioned in part one, when you sign up for Incapsula, your website traffic is routed through its globally distributed network of servers. Inbound traffic is profiled in real time to block common web threats (e.g., SQL injection, scrapers, malicious bots, comment spammers) and, on higher-level plans, to mitigate DDoS attacks. Outbound traffic is accelerated by the CDN & Optimizer. Many of these features are free, and you can try all of them at no cost during the 14-day trial. If you already have more questions, check out the Incapsula FAQs.

Incapsula DDoS Protection

According to Imperva, "a recent industry study showed that some 75% of IT decision makers have suffered at least one DDoS in the past 12 months, and 31% reported service disruption as a result of these attacks."

When you join this service, Incapsula assigns you an IP address from its own IP range for routing traffic. A tunnel is then established between your origin servers (or routers/load balancers) and the Incapsula network. Once in place, this tunnel routes clean traffic from Incapsula's network to your origin and back. You then publish the assigned IP addresses to your users via DNS, making them your nominal "origin" addresses. One caveat applies however traffic is routed: the real origin should accept connections only from Incapsula's network, because an attacker who learns its public IP could otherwise send traffic straight to it and bypass the filtering entirely.

Before we look at what Incapsula adds for AWS customers, let's walk through how DDoS attacks work and some networking terminology.

How DDoS Attacks Operate

The image below (from Wikipedia) shows how an attacker directs a hard-to-trace network of compromised "zombie" computers to bring a web application to its knees:

Incapsula DDoS protections work at the application layer (Layer 7) and at the network and transport layers (Layers 3 and 4) of the seven-layer OSI model. Here's Wikipedia's guide to these layers for more detail:

While it may seem complex, these are the layers DDoS attacks target because they are the ones that connect your website to users and other systems on the Internet: Layers 3 and 4 carry volumetric floods of packets and connections (a SYN flood, for example), while Layer 7 carries request floods that look like ordinary HTTP traffic.

The Incapsula Five-Ring Approach to DDoS Protection

From a conceptual standpoint, Incapsula DDoS protection is based on a set of concentric rings around the application, each of which filters a different portion of the traffic. Each of these rings by itself can be easily bypassed; however, working in unison they stop almost all malicious traffic. While some DDoS attacks may be stopped at the outer rings, persistent multi-vector attacks can only be stopped by using all (or most) of them.

Ring 5: Client Classification vs. Volumetric Layer 7 Attacks. In some cases, attackers use a volumetric application-layer attack (e.g. an HTTP flood) as a distraction to mask other, more targeted attacks. Incapsula uses client classification to identify and filter out these bots by comparing signatures and examining various attributes: IP and ASN info, HTTP headers, cookie support variations, JavaScript footprint, and other telltale signs. Incapsula distinguishes between human and bot traffic, between "good" and "bad" bots, and identifies AJAX and API traffic.

Ring 4: Visitor Whitelisting and Reputation. After flagging and blocking the malicious volumetric traffic, Incapsula partitions the rest of the website traffic into "grey" (suspicious) and "white" (legitimate) visitors. This task is supported by the Incapsula reputation system.

Ring 2: Progressive Challenges. Incapsula applies a set of progressive challenges that are designed to ensure the optimal balance between strong DDoS protection and an uninterrupted user experience. The idea is to minimize false positives by using a set of transparent challenges (e.g. cookie support, JavaScript execution, etc.) to provide pinpoint identification of the client (human or bot, "good" or "bad").

Ring 0: Dedicated Security Team. Ultimately, your experience with Incapsula is supported by Imperva's team of experienced Security Operations Center professionals and 24x7 support staff. They proactively analyze the internal behavior of the application and detect irregular usage before any problem becomes widespread.
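Rings 5 and 2 above turn on a simple idea: a client that cannot hold a cookie or run JavaScript is not a browser, and a client that keeps failing a transparent challenge can be classified as a bad bot. The Python below is an added illustration of that idea, not Incapsula's code: a stateless cookie challenge whose token is an HMAC over the client IP and an expiry (so any edge node holding the secret can verify it without shared state), with a client that fails MAX_FAILURES challenges in a row being blocked. The class and function names, the thresholds, the frozen clock and the two constructed clients are my assumptions.

```python
import hmac
import hashlib
import time
from collections import defaultdict

CHALLENGE_TTL = 300   # seconds a challenge token stays valid (assumed value)
MAX_FAILURES = 3      # failed challenges before the client is classified as a bot (assumed)


class CookieChallenge:
    """Transparent cookie challenge in the spirit of Ring 2 (illustrative, not Incapsula's code).

    The cookie value is "<expiry>.<hmac>" where the HMAC covers the client IP and the
    expiry, so any edge node holding the secret can verify it without shared session state.
    """

    def __init__(self, secret: bytes, ttl: int = CHALLENGE_TTL, now=time.time):
        self.secret = secret
        self.ttl = ttl
        self.now = now                      # injectable clock, keeps the demo deterministic
        self.failures = defaultdict(int)    # client IP -> consecutive failed challenges

    def _sign(self, client_ip: str, expires: int) -> str:
        msg = f"{client_ip}|{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, client_ip: str) -> str:
        expires = int(self.now()) + self.ttl
        return f"{expires}.{self._sign(client_ip, expires)}"

    def verify(self, client_ip: str, token: str) -> bool:
        try:
            exp_str, mac = token.split(".", 1)
            expires = int(exp_str)
        except ValueError:
            return False                    # malformed token
        if expires < self.now():
            return False                    # expired token
        # constant-time compare: a forged MAC must not leak how many bytes matched
        return hmac.compare_digest(mac, self._sign(client_ip, expires))

    def handle(self, request: dict) -> dict:
        """Decide pass / challenge / block for one request.

        `request` is {"ip": ..., "cookies": {...}}; a real edge would read these from the
        connection and the Cookie header.
        """
        ip = request["ip"]
        token = request.get("cookies", {}).get("__chal")
        if token and self.verify(ip, token):
            self.failures.pop(ip, None)     # cookie support proven: reset the counter
            return {"action": "pass"}
        self.failures[ip] += 1
        if self.failures[ip] > MAX_FAILURES:
            # Ring 5 style classification: repeated failure to echo a cookie => bad bot
            return {"action": "block", "reason": "no cookie support"}
        # A real edge would send this as a 302 back to the same URL with a Set-Cookie header
        return {"action": "challenge", "set_cookie": f"__chal={self.issue(ip)}"}


def simulate(keeps_cookies: bool, request_count: int, ip: str = "203.0.113.7") -> list:
    """Run a constructed client through the challenge; returns the action taken per request."""
    chal = CookieChallenge(secret=b"demo-secret-rotate-in-production",
                           now=lambda: 1_700_000_000)      # frozen clock for the demo
    jar = {}                                               # the client's cookie jar
    actions = []
    for _ in range(request_count):
        result = chal.handle({"ip": ip, "cookies": dict(jar)})
        actions.append(result["action"])
        if keeps_cookies and "set_cookie" in result:       # browsers store Set-Cookie...
            name, value = result["set_cookie"].split("=", 1)
            jar[name] = value                              # ...naive flood bots do not
    return actions


if __name__ == "__main__":
    print("browser-like client:", simulate(True, 4))    # challenged once, then passes
    print("cookie-blind bot:   ", simulate(False, 5))   # challenged, then blocked
```

Two design points are worth noting. A cookie challenge on its own only proves cookie support, so a bot that keeps a cookie jar sails through it; that is why the rings escalate from cookies to JavaScript execution and reputation rather than relying on any single test. And binding the token to the client IP means a user whose address changes mid-session (a phone moving between networks) is simply re-challenged, which is the "transparent" failure mode you want, as opposed to being blocked.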

Furthermore, the Incapsula Web Application Firewall is PCI DSS certified. (The PCI Security Standards Council was founded by the major card brands, including American Express, MasterCard, and Visa.) In the Council's own words:

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

Incapsula DDoS Protection for AWS

Whether or not you host your application with AWS doesn't actually matter: Incapsula's DDoS protection safeguards your website either way. But if you are an AWS customer, don't assume Amazon will fully protect you; Incapsula provides significant additional protection.

Like most hosting platforms, AWS is not a security platform. At the time of writing it offers basic DDoS mitigation, such as SYN cookies and connection limiting, but it's not built to defend hosted servers and applications. If your web server is hit by an application-layer (Layer 7) DDoS attack, AWS won't protect you. Worse, if you suffer a massive network-layer (Layers 3 and 4) DDoS attack, you'll be charged for the additional bandwidth and face a huge bill at the end of the month. Anyone who's dealt with Amazon customer service knows that refunds aren't always easy.

Incapsula complements AWS with its cloud-based DDoS protection service. This service enhances AWS’s basic security capabilities so that your critical applications are fully protected against all types of DDoS attacks.

Of course, if you're using Amazon's DNS service, Route 53, configuring your site is just as easy as with the generic DNS service I described in part one.

Simply log in to the Route 53 management console and browse to your domain's record sets. From the list of records, select the subdomain you're adding to Incapsula and edit it in the Edit Record Set dialog. Before you cut over, lower the record's TTL so the change propagates quickly, and can be reverted just as quickly if something goes wrong.

If you're using a CNAME, it looks like this:

If you're pointing a www. or naked (apex) domain at Incapsula with an A record, it looks like this (a naked domain has to use an A record, since a CNAME isn't allowed at the zone apex):
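If you'd rather script the cutover than click through the console, the Python below builds the Route 53 change batch for either case and submits it through boto3's `change_resource_record_sets`. It is an added example, not code from the original tutorial or from Incapsula, and it enforces the rule behind the two screenshots: a subdomain such as www can use a CNAME, but the naked domain must use an A record carrying the IP addresses Incapsula assigns, because a CNAME cannot live at the zone apex. The zone, hostnames, IP addresses and hosted zone ID are placeholders to be replaced with the values from your own Incapsula dashboard and AWS account.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def fqdn(name: str) -> str:
    """Route 53 stores absolute names: 'www.example.com' -> 'www.example.com.'."""
    return name.rstrip(".").lower() + "."


def cname_allowed(zone_name: str, record_name: str) -> bool:
    """A CNAME may not coexist with the SOA/NS records at the zone apex (RFC 1034)."""
    return fqdn(record_name) != fqdn(zone_name)


def incapsula_change_batch(zone_name: str, record_name: str,
                           incapsula_cname: Optional[str] = None,
                           incapsula_ips: Iterable[str] = (),
                           ttl: int = 300) -> Dict:
    """Build the ChangeBatch that points `record_name` at Incapsula.

    Pass the CNAME from the Incapsula dashboard for a subdomain, or the assigned IPv4
    addresses for the naked domain (or for any name you prefer to keep as an A record).
    """
    zone, name = fqdn(zone_name), fqdn(record_name)
    if not name.endswith(zone):
        raise ValueError(f"{name} is not inside zone {zone}")

    if incapsula_cname:
        if not cname_allowed(zone_name, record_name):
            raise ValueError("a naked domain cannot use a CNAME; use the A record form")
        values = [fqdn(incapsula_cname)]
        rtype = "CNAME"
    else:
        values = []
        for ip in incapsula_ips:
            addr = ipaddress.ip_address(ip)          # rejects typos before they reach DNS
            if addr.version != 4:
                raise ValueError(f"{ip} is not IPv4; an A record cannot carry it")
            values.append(str(addr))
        if not values:
            raise ValueError("supply either incapsula_cname or incapsula_ips")
        rtype = "A"

    return {
        "Comment": f"route {name} through Incapsula",
        "Changes": [{
            "Action": "UPSERT",                      # create or overwrite the record set
            "ResourceRecordSet": {
                "Name": name,
                "Type": rtype,
                "TTL": ttl,                          # keep it short until the cutover is proven
                "ResourceRecords": [{"Value": v} for v in values],
            },
        }],
    }


def apply_change(hosted_zone_id: str, change_batch: Dict) -> str:
    """Submit the batch; returns the Route 53 change ID, which you can poll with get_change()."""
    import boto3   # imported here so the builder above is usable without AWS credentials
    r53 = boto3.client("route53")
    resp = r53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=change_batch)
    return resp["ChangeInfo"]["Id"]


if __name__ == "__main__":
    # Placeholder values: use the CNAME / IPs shown in your own Incapsula dashboard.
    www = incapsula_change_batch("example.com", "www.example.com",
                                 incapsula_cname="cname-from-incapsula-dashboard.example")
    apex = incapsula_change_batch("example.com", "example.com",
                                  incapsula_ips=["192.0.2.10", "192.0.2.11"])
    print(www)
    print(apex)
    # apply_change("ZXXXXXXXXXXXXX", www)   # hosted zone ID is a placeholder
```

One Route 53 gotcha: if www currently has an A record and you switch it to a CNAME, UPSERT alone is not enough, because Route 53 refuses a CNAME alongside an A record of the same name. Add a DELETE of the old A record set (with its exact current values and TTL) to the same Changes list so the swap happens atomically.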

Incapsula servers perform deep packet inspection to identify and block malicious packets based on fine-grained details, examining every attribute of each incoming packet while handling hundreds of gigabits of traffic at line rate.

And yes, you can still serve static files from your CloudFront domain while using Incapsula for DDoS mitigation and Route 53 for DNS.

Managing Your Site Security With Incapsula

I reviewed the initial elements of this in episode one; once your site is configured, you'll see it listed on the dashboard:

The Incapsula Settings provide you complete control over its wide variety of powerful features. You can see the DDoS configurations from the Web Application Firewall (WAF) sub-menu:

From there you can configure how DDoS protection behaves. Under Advanced Settings you can tell Incapsula when and how to challenge suspected attackers:

You can also whitelist IP addresses, URLs, certain countries and more:

IncapRules Filter Events and Trigger Actions

The dashboard's Events area helps you filter, identify and begin responding to attacks of all sorts, including DDoS:

Using these events, or your own criteria, you can configure rules that filter traffic, alert you and respond automatically to attacks like these. They are called IncapRules. The IncapRules sub-menu has complete documentation on defining more detailed rules.

Adding and managing the List of Rules is quite easy:

IncapRules allow you to take advantage of the Incapsula network's entire range of powerful traffic inspection abilities. With them you can create custom policies based on HTTP header content, geolocation, and much more.

IncapRules syntax relies on descriptively named 'Filters' and a set of logic operators. Combined, these form a security rule (a.k.a. 'Trigger') that leads to one of the pre-defined 'Actions'. Here are a few examples:

In this image, we're configuring a rule to require cookies if more than 50 sessions are active while allowing higher activity from specific IP addresses or Google Search bots.

To counter brute force attacks, you can deploy a relatively simple rule that limits the number of successive POST requests to your login page. For example, this Filter triggers on more than 50 POST requests from one IP by non-browser (automated) visitors within a minute:

Rate > {post-ip;50} & ClientType != Browser [Block Session]

Once triggered, such a rule can respond with any of several actions. Here it's set to [Block Session], which immediately terminates the offending session. Alternatively, set the action to [Alert], which notifies you of the incident by email and in the dashboard without affecting the visitor.

Of course, a generic rate threshold can produce false positives. API clients, for example, are non-browsers by design and may legitimately POST far more often than a human ever would, so you may want to exempt your API. Adding the [URL] filter creates a rule that is not triggered by POST requests to API URLs:

Rate > {post-ip;50} & URL != /api & ClientType != Browser [Block IP]

By combining multiple filters with logical operators (and/or, greater/less than, not-equal, and so on), the IncapRules filter set offers nearly limitless combinations, letting you create a custom security policy for every type of scenario. Note that the second rule also escalates the action from [Block Session] to [Block IP]. Blocking an IP is a blunter instrument, since many legitimate users can share one address behind a NAT or proxy, so reserve it for sources you're confident are hostile.
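To make the two rules concrete, here is a small Python model of them. It is added for this write-up and is not IncapRules code; the real engine's evaluation semantics may differ in detail. It treats `Rate > {post-ip;N}` as a sliding sixty-second count of POSTs per source IP, and `URL != /api` and `ClientType != Browser` as exclusions applied to the request under evaluation. Replayed over constructed traffic it shows the difference the `URL` filter makes: a legitimate API integration is blocked by the first rule and left alone by the second, while a browser behind a busy NAT and a bot that paces itself under the threshold are never touched by either. The `ClientType` labels, IP addresses and traffic are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Request:
    ts: float           # seconds since epoch
    ip: str
    method: str
    url: str
    client_type: str    # classification label, e.g. "Browser", "Bot", "APIClient" (assumed names)


@dataclass(frozen=True)
class Rule:
    text: str                                   # the IncapRule as written on the page
    rate_limit: int                             # Rate > {post-ip;N}
    action: str                                 # "Block Session", "Block IP", "Alert", ...
    window_secs: int = 60
    exclude_url_prefix: Optional[str] = None    # URL != /prefix
    exclude_client_type: Optional[str] = None   # ClientType != X


class PostRateCounter:
    """Sliding-window count of POST requests per source IP: the {post-ip;N} part."""

    def __init__(self, window_secs: int):
        self.window = window_secs
        self.hits: Dict[str, deque] = defaultdict(deque)

    def observe(self, req: Request) -> int:
        q = self.hits[req.ip]
        q.append(req.ts)
        while q and req.ts - q[0] > self.window:   # drop POSTs older than the window
            q.popleft()
        return len(q)


def evaluate(rule: Rule, traffic: List[Request]) -> Dict[str, str]:
    """Replay traffic through one rule; returns {ip: action} for each IP that tripped it."""
    counter = PostRateCounter(rule.window_secs)
    decisions: Dict[str, str] = {}
    for req in sorted(traffic, key=lambda r: r.ts):
        if req.method != "POST":
            continue
        if counter.observe(req) <= rule.rate_limit:
            continue                                 # Rate filter not exceeded (yet)
        if rule.exclude_url_prefix and req.url.startswith(rule.exclude_url_prefix):
            continue                                 # URL != /api
        if rule.exclude_client_type and req.client_type == rule.exclude_client_type:
            continue                                 # ClientType != Browser
        decisions.setdefault(req.ip, rule.action)    # first trigger per IP wins
    return decisions


LOGIN_RULE = Rule("Rate > {post-ip;50} & ClientType != Browser [Block Session]",
                  rate_limit=50, action="Block Session", exclude_client_type="Browser")

LOGIN_RULE_API_SAFE = Rule("Rate > {post-ip;50} & URL != /api & ClientType != Browser [Block IP]",
                           rate_limit=50, action="Block IP",
                           exclude_url_prefix="/api", exclude_client_type="Browser")


def sample_traffic() -> List[Request]:
    """Constructed traffic (documentation-range IPs): four sources over about 90 seconds."""
    t0 = 1_700_000_000.0
    traffic: List[Request] = []
    # scripted login brute force: 60 POSTs in 30 seconds
    traffic += [Request(t0 + i * 0.5, "198.51.100.23", "POST", "/login", "Bot") for i in range(60)]
    # real browsers behind one office NAT doing the same volume: must not be blocked
    traffic += [Request(t0 + i * 0.5, "203.0.113.45", "POST", "/login", "Browser") for i in range(60)]
    # a legitimate API integration: non-browser by design, high rate by design
    traffic += [Request(t0 + i * 0.5, "192.0.2.77", "POST", "/api/v1/orders", "APIClient") for i in range(60)]
    # a slow bot pacing itself: 60 POSTs over 90 seconds, never more than 50 in any one minute
    traffic += [Request(t0 + i * 1.5, "198.51.100.99", "POST", "/login", "Bot") for i in range(60)]
    return traffic


if __name__ == "__main__":
    for rule in (LOGIN_RULE, LOGIN_RULE_API_SAFE):
        print(rule.text)
        print("   ->", evaluate(rule, sample_traffic()))
```

The slow bot in the sample is the reminder that a fixed per-minute threshold is a speed bump, not a wall: an attacker who learns the limit can pace just under it, which is why a rate rule belongs alongside the classification and reputation rings rather than in place of them. Conversely, the browser source shows why `ClientType != Browser` is in the rule at all; without it, a busy NAT or corporate proxy would be the first thing you blocked.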

What Will We Explore Next?

I hope you're enjoying learning about Incapsula DDoS Protection. When I gave the Incapsula solution a try, I was thoroughly impressed with the simple integration and broad array of powerful protective capabilities. If your website application might be susceptible to large-scale attacks, its DDoS protections will prove incredibly valuable and cost-efficient.

Next up, I'll delve deeply into Incapsula CDN & Optimizer, starting with the free plan, which includes a content delivery network, minification, image compression, TCP Optimization, Connection Pre-Pooling and many more features.

Please feel free to post your questions and comments below. You can also reach me on Twitter @reifman or email me directly. You can also browse my Tuts+ instructor page to read the other tutorials I've written.